CVE-2022-35202
📋 TL;DR
This vulnerability allows remote attackers to download the Java keystore containing SAML signing private keys via WebDAV in non-default configurations. Attackers can then forge SAML authentication requests, potentially compromising federated identity systems. Organizations using Sitevision 10.3.1 or older with WebDAV enabled and SAML configured are affected.
💻 Affected Systems
- Sitevision
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of SAML-based authentication allowing attackers to impersonate any user, access all federated applications, and potentially pivot to other systems.
Likely Case
Attackers gain unauthorized access to federated applications by forging SAML assertions, leading to data breaches and privilege escalation.
If Mitigated
Limited impact if WebDAV is disabled, keystore is properly protected, or SAML is not implemented.
🎯 Exploit Status
A detailed exploitation methodology has been published in a research blog. The attack involves WebDAV access to download the keystore, which is protected only by a weak auto-generated password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Sitevision 10.3.2
Vendor Advisory: https://developer.sitevision.se/archives/release-notes/release-notes/2022-05-06-release-notes-sitevision-10.3
Restart Required: Yes
Instructions:
1. Download Sitevision 10.3.2 or newer from the official vendor.
2. Back up the current installation.
3. Apply the update following vendor documentation.
4. Restart Sitevision services.
5. Verify that the keystore is no longer accessible via WebDAV.
🔧 Temporary Workarounds
Disable WebDAV
Disable WebDAV functionality to prevent keystore download.
Modify Sitevision configuration to disable WebDAV module
Restrict WebDAV Access
Implement IP-based restrictions or authentication for WebDAV endpoints.
Configure web server (Apache/Nginx) to restrict access to /webdav/* paths
🧯 If You Can't Patch
- Disable WebDAV functionality immediately
- Implement network segmentation to restrict access to Sitevision servers
🔍 How to Verify
Check if Vulnerable:
Check if WebDAV is enabled and accessible at /webdav/keystore.jks path. Attempt to download the keystore file.
Check Version:
Check Sitevision administration panel or version file in installation directory
Verify Fix Applied:
Verify Sitevision version is 10.3.2 or newer and confirm keystore.jks is no longer accessible via WebDAV.
📡 Detection & Monitoring
Log Indicators:
- WebDAV access logs showing keystore.jks downloads
- Failed authentication attempts to SAML endpoints
- Unusual SAML assertion patterns
Network Indicators:
- HTTP GET requests to /webdav/keystore.jks
- Unusual SAML traffic from unexpected sources
SIEM Query:
source="webdav_logs" AND (uri="/webdav/keystore.jks" OR filename="keystore.jks")
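The log indicators above, turned into detection logic run over constructed sample access-log lines. This is an added example, not part of the advisory or any vendor tooling; it assumes a reverse proxy in front of Sitevision writing Combined Log Format, and it goes slightly beyond the GET-only indicator by flagging any WebDAV method against keystore.jks and distinguishing blocked attempts from a successful download.

```python
import re
from collections import defaultdict
# Combined Log Format as written by a reverse proxy in front of Sitevision (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
KEYSTORE_NAME = "keystore.jks"  # the file named in the advisory

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def is_keystore_request(rec):
    # Any method counts (GET, HEAD, PROPFIND, ...), not only GET, and the
    # match is case-insensitive so /WebDAV/keystore.jks is caught too.
    return rec["path"].lower().rstrip("/").endswith("/" + KEYSTORE_NAME)

def find_keystore_access(lines):
    """Return {ip: {"hits": n, "downloaded": bool}} for keystore requests."""
    report = defaultdict(lambda: {"hits": 0, "downloaded": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_keystore_request(rec):
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        # A 2xx answer to a GET means the keystore actually left the server.
        if rec["method"] == "GET" and 200 <= rec["status"] < 300:
            entry["downloaded"] = True
    return dict(report)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2022:10:01:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 512',
    '203.0.113.7 - - [06/May/2022:10:01:05 +0000] "GET /webdav/keystore.jks HTTP/1.1" 200 2210',
    '198.51.100.3 - - [06/May/2022:10:02:00 +0000] "GET /WebDAV/keystore.jks?x=1 HTTP/1.1" 401 0',
    '192.0.2.9 - - [06/May/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, info in find_keystore_access(SAMPLE_LOG).items():
        print(ip, info)
```

A source with `downloaded` set to true should be treated as a confirmed key compromise, which means rotating the SAML signing key at the identity provider as well as patching.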